7 Cloud Security Best Practices
January 5, 2016
This post addresses overarching cloud security best practices. There are numerous factors that alter and impact these practices, including the type of cloud computing model, the Cloud Service Provider (CSP), and the size of the organization.
1. Risk Management: The Core Practice
For organizational security practices, everything should revolve around risk management. You should assess, address, and reduce the security risks associated with the IT system’s connections to the external cloud services and infrastructure. Then select the security controls to utilize and monitor the ongoing effectiveness of those controls.
Risk management is an extensive practice stretching across numerous aspects of organizational operations. IT security management must come together with the management team to see how analyzed risks impact numerous aspects of the business for every component from finances to brand reputation. When selecting a CSP, this should be a central discussion point with the management team and CSP contact.
The Risk Management Framework (RMF) course expands on the approach for risk managers within government and non-government entities.
2. Define Roles and Responsibilities
This practice is as straightforward as it appears. Define the roles and responsibilities of the IT management and security team members. Who manages communication with the CSP security point-of-contact?
Not every IT security team has established roles. This failure results in overlaps and confusion in duties, incompetence, and noncompliance with the security policy. Cloud security success depends on the internal staff and services as much as on the external services and staff of the CSP. Yes, your management may worry about insider attacks or personnel error on the CSP end, but this risk exists internally as well.
Also, consider the importance of knowing the roles, duties, and names of the CSP’s personnel responsible for your data security. Do they properly segregate duties to keep the logical components separate from the hardware? Who is responsible for preventing insider attacks and data leakage, and do they have procedures documenting which personnel handle the prevention, mitigation, and recovery of data? We will not dive further into what to expect from a CSP in this blog post.
3. Create a Living Security Policy
Organizations must create, promote, review, and enforce a clearly defined and understood security policy. The policy scope should entail the type of cloud infrastructure services (SaaS, PaaS, or IaaS), the CSP, and the type of cloud (public, private, or hybrid). The policy should contain all aspects of information security.
This process involves lengthy documentation, collaboration and feedback across all organizational departments, and ongoing reviews for improvement. The security policy should stand as a living, breathing document, well-known throughout the organization, where every person is held accountable for their role and actions. Only when all personnel comprehend the importance of such a policy will security be taken seriously.
The security policy’s effectiveness is only as good as its promotion and organizational awareness. IT management must establish awareness for all employees and ensure they understand their limitations and responsibilities as outlined in the policy.
The policy should contain documentation and plans for access management, auditing, vulnerability scanning, data encryption, software and hardware intrusion prevention, disaster recovery, business continuity, and even a data loss prevention policy. It’s not enough to state and outline the security controls established.
The organizational policy must either stand separate from the Cloud Service Provider (CSP) or include a section pertaining to it. You utilize the CSP’s infrastructure, services, and security controls, but you must account for the failure of the CSP’s services and security in case of a data breach, vulnerability, or other critical issue. Include backup plans and documentation for every potential scenario. The CSP may boast a proven track record of protecting company data, a solid defense and DLP policy, and a clearly stated SLA and security policy that puts the customer first, but you must still account for the “what ifs” within your policy. Not all business relationships and services are guaranteed to last. Nothing is absolute. Account for the failure of the CSP or its breach of contract.
When creating or amending the organizational security policy, address how the current or potential CSP affects the policy and present security controls.
4. Perform Audits
Although data storage remains the primary responsibility of the CSP, IT security teams must secure, protect, and mitigate possible threats on their end. Their means of protection depends on effective and ongoing auditing. In the auditing process, security personnel should verify compliance with the security policy and test and analyze the effectiveness of security controls.
Exploit the Infrastructure with Penetration Testing
What’s a smart way to identify system holes? Hire a hacker to attack your system.
Ensure system security against exploits and vulnerabilities through penetration testing. This auditing practice is costly, but essential for cloud security. Independent professionals not connected with your organization perform the best work since they provide an objective fresh set of eyes on the systems.
Before signing an SLA (Service Level Agreement) with the CSP, check that they permit independent penetration testing of the services you will use.
Scan for Vulnerabilities
Periodic vulnerability scanning of the cloud infrastructure is critical to maintaining security. Scan the cloud management platform, servers, and network devices to ensure comprehensive system security across the entire infrastructure. Employ tools such as Nmap, John the Ripper, and Nessus to check for weak passwords, known and unknown vulnerabilities, configuration errors, and other common and uncommon issues.
When performing these scans, you should have different goals. First, the scan enables you to catalog all components for the purpose of verifying configuration management data. Secondly, scanning empowers the organization to act from the hacker’s perspective to review and unearth known and unknown vulnerabilities.
IT teams should conduct two types of scans. They should scan the systems from the outside. They should also conduct authenticated scans from the inside, where more information about the systems and their security can be gathered.
The final step of vulnerability scanning includes storing the data accumulated from the process. Once stored in a database, auditors can review and analyze the data to recognize attack trends, configuration errors, and additional issues over time.
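As an added illustration of the last two steps (catalog components, store the results, compare over time), not code from the original post: a small Python script that loads constructed scanner findings into SQLite and reports services that appeared between two runs. Hostnames, dates and service banners are made up.

```python
import sqlite3

# Constructed sample findings in the shape a scanner such as Nmap reports:
# (host, port, service, detail). Not real scan data.
SCAN_RUNS = {
    "2016-01-01": [
        ("web-01", 22, "ssh", "OpenSSH 6.6"),
        ("web-01", 443, "https", "nginx 1.8"),
        ("db-01", 3306, "mysql", "MySQL 5.6"),
    ],
    "2016-01-08": [
        ("web-01", 22, "ssh", "OpenSSH 6.6"),
        ("web-01", 443, "https", "nginx 1.8"),
        ("web-01", 8080, "http", "Jetty 9"),        # new exposure
        ("db-01", 3306, "mysql", "MySQL 5.6"),
        ("db-01", 21, "ftp", "vsftpd 2.3"),         # new exposure
    ],
}

def build_db(runs):
    """Load every scan run into an in-memory SQLite database, one row per finding."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE findings (scan_id TEXT, host TEXT, port INTEGER, "
               "service TEXT, detail TEXT)")
    for scan_id, rows in runs.items():
        db.executemany("INSERT INTO findings VALUES (?, ?, ?, ?, ?)",
                       [(scan_id, *row) for row in rows])
    db.commit()
    return db

def new_exposures(db, previous, current):
    """Return (host, port, service) tuples listening in `current` but not in `previous`."""
    cur = db.execute(
        """SELECT host, port, service FROM findings WHERE scan_id = ?
           EXCEPT
           SELECT host, port, service FROM findings WHERE scan_id = ?
           ORDER BY host, port""", (current, previous))
    return cur.fetchall()

def inventory(db, scan_id):
    """Catalog hosts and their listening-port counts for one scan, for CM verification."""
    cur = db.execute("SELECT host, COUNT(*) FROM findings WHERE scan_id = ? "
                     "GROUP BY host ORDER BY host", (scan_id,))
    return dict(cur.fetchall())

if __name__ == "__main__":
    db = build_db(SCAN_RUNS)
    print("Inventory:", inventory(db, "2016-01-08"))
    for host, port, service in new_exposures(db, "2016-01-01", "2016-01-08"):
        print(f"NEW: {host}:{port} ({service}) - verify against change control")
```

Each new row in the report is either an approved change that should appear in the change-control record or a configuration drift to investigate.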
5. Access and Log Management
As specified in the security policy, a strict access management program must exist to prevent and reduce intrusions. Most breaches are attributed to human error, typically due to an end user who lacks security awareness, chooses poor passwords, and does not manage their personal security with adequate attention. Blame for this negligence also falls on the IT security personnel responsible for implementing access management and educating all personnel about it.
Smart access management accounts for human error and laziness. Address most intrusion issues with two-factor authentication, using physical tokens, digital certificates, biometrics, password cards, or SMS passwords to strengthen user access. Usernames and user-created passwords alone are not sufficient in the present age due to the sophistication and patience of social engineering attacks.
There should be a common understanding regarding access management between the internal IT team and the CSP. The IT team must communicate their access management policy to ensure correct access to sensitive data for their personnel. Access should not depend on a person’s seniority, experience, or job title. Even senior members should not have access to data or services unless the IT team and management determine that access is absolutely necessary. Deciding who can access what is tricky, sensitive, and time consuming initially. However, if properly implemented and managed, this prevents security holes and contains the incidents that do occur.
Monitor system logs to ensure data security and further evaluate the success of internal monitoring. Automating this task and pushing the logs to secure databases enables auditors to review and analyze data for common configuration errors and attack trends. This analysis proves vital for threat mitigation.
6. Configuration Management (CM) and Change Control (CC)
This practice often slips through the cracks and causes substantial problems for security in general. Configuration management and change control prove troublesome when relying on a CSP without clear lines of communication. When employing a CSP, you are responsible for communicating and documenting configuration management and change control for the organization.
Older and vulnerable configurations often work their way back into production, or changes never fully go through due to an impact on functionality that is never addressed by management and end users within the organization.
Therefore, management and all associated personnel responsible for this practice should take the critical steps to establish processes for configuration management and change control. Since organizations often operate at speed and at scale, manual processes aren’t realistic. Organizations must rely on automation for these processes, backed by manual processes in case of failure.
7. Maintain a Data Loss Prevention (DLP) Policy
How does your Data Loss Prevention (DLP) policy align with the CSP’s DLP? Do they have an adequate DLP program in place that reduces data loss and does not allow compromised data to leave the network?
With this practice in mind, you must implement disaster recovery plans that align with the CSP’s disaster recovery or compromise management plan. Part of planning for cloud security entails preparing for the event of compromised systems. The disaster recovery plan should contain steps for incident response.
Question: What cloud security best practices does your IT team follow?